Arch Linux removes malicious inherited packages from user repository

Arch Linux administrators have removed three packages from the Arch User Repository, which the Arch community can add software to. One of the packages, intended for reading PDFs, collected information about systems.

The most recent message on the Aur mailing list shows that the packages are acroread 9.5.5-8, balz 1.20-3 and minergate 8.1-2. The commits to the packages have been rolled back and the account that made the changes has been canceled, Eli Schwartz of the Arch Linux team said. The discussion suggests that the packages were inherited because they were in orphaned status, meaning they are no longer being tracked. There is also criticism that the seriousness of the incident would not be too bad if Aur users did not install packages automatically, but inspect them first.

The contents of one of the modified packages, acroread, has been viewed by Bleeping Computer. The site writes that the intent of the software was to download a second file, which collects information about the user’s system. It then forwarded that information to the Pastebin service using its own API key. The malware therefore did very little at first. There would have been no way for the malware to update itself.

The Arch User Repository allows Arch users to share their own software with others, after which it can also end up in the official repository. Arch Linux is a distribution that emphasizes a minimalistic and customizable system. Package management is possible with Pacman software.